Malware

SparklingGoblin APT adds a new Linux variant of SideWalk implant to its arsenal

China-linked SparklingGoblin APT was spotted using a Linux variant of a backdoor known as SideWalk against a Hong Kong university.

Researchers from ESET discovered a Linux variant of the SideWalk backdoor, which is a custom implant used by the China-linked SparklingGoblin APT group.

The SparklingGoblin APT is believed to be a group that operated under the umbrella of the China-linked Winnti (aka APT41) cyberespionage group.

Most of SparklingGoblin’s victims are in East and Southeast Asia, with a particular focus on the academic sector.

The new variant was employed by threat actors in attacks against a Hong Kong university in February 2021, which had already been targeted by SparklingGoblin during the student protests in May 2020.

“SparklingGoblin first compromised this particular university in May 2020, and we first detected the Linux variant of SideWalk in that university’s network in February 2021.” reads the report published by ESET. “The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations.”

SideWalk has a modular structure that allows the malware to dynamically load additional modules fetched from the C&C server. The experts reported that the backdoor relies on Google Docs as a dead drop resolver, and uses Cloudflare workers as a C&C server.


The new variant of SideWalk was also detailed by 360 Netlab researchers, who tracked it as Specter RAT.

Researchers first detailed the Linux variant on July 2nd, 2021, and initially tracked it as StageClient (due to numerous instances of the word ‘StageClient’ in the code) without connecting it at that time to SparklingGoblin or to the SideWalk backdoor.

ESET researchers have yet to discover how the attack chain starts; they speculate that the initial attack vector could have been the exploitation of publicly available services.

ESET found many similarities between SideWalk Windows and SideWalk Linux, including portions of the source code. The experts also discovered that one of the samples of the Linux variant was using a command-and-control address (66.42.103[.]222) that was previously associated with the activity of the SparklingGoblin threat actor.

ESET also detailed other similarities, including the implementations of ChaCha20 encryption, the use of multiple threads to execute one specific task, the decryption of the configuration using the ChaCha20 algorithm, and the use of the same dead drop resolver payload.
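A defender-side example, added here and not taken from the article or from ESET's report: it refangs the C&C address quoted above and counts which internal hosts contacted it in constructed Zeek-style conn.log rows, and separately lists DNS lookups under the Cloudflare Workers default suffix (assumed here to be .workers.dev) as a hunting lead for the Workers-hosted C&C mentioned earlier. The log rows, internal hosts and the .workers.dev hostname are all constructed for the example.

```python
import ipaddress

# C&C address quoted in the article, kept defanged here.
SIDEWALK_C2_DEFANGED = "66.42.103[.]222"

# Constructed sample telemetry (not real logs): simplified Zeek-style conn.log
# rows (ts, id.orig_h, id.resp_h, id.resp_p, proto) and dns.log rows (ts, id.orig_h, query).
SAMPLE_CONN = """\
1612137600.1\t10.20.1.15\t192.0.2.10\t443\ttcp
1612137605.7\t10.20.1.15\t66.42.103.222\t443\ttcp
1612137640.2\t10.20.3.9\t66.42.103.222\t80\ttcp
1612137700.0\t10.20.7.2\t198.51.100.7\t80\ttcp
"""
SAMPLE_DNS = """\
1612137590.0\t10.20.1.15\tdocs.google.com
1612137598.4\t10.20.1.15\tbeacon-example.workers.dev
1612137650.3\t10.20.7.2\twww.example.org
"""

def refang(indicator):
    """Turn a defanged indicator (66.42.103[.]222, hxxp://...) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def hosts_contacting(conn_log, c2_defanged):
    """Map each internal host to its number of connections to the refanged C&C IP."""
    c2 = ipaddress.ip_address(refang(c2_defanged))
    hits = {}
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank rows and Zeek header lines
        _ts, orig_h, resp_h, _port, _proto = line.split("\t")
        if ipaddress.ip_address(resp_h) == c2:
            hits[orig_h] = hits.get(orig_h, 0) + 1
    return hits

def workers_dev_lookups(dns_log, suffix=".workers.dev"):
    """Hunting lead only: (host, query) pairs for lookups under the Workers default
    suffix (assumed .workers.dev). Legitimate apps use it too, so triage rather than block."""
    leads = []
    for line in dns_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, query = line.split("\t")
        if query.lower().endswith(suffix):
            leads.append((orig_h, query))
    return leads

if __name__ == "__main__":
    print(hosts_contacting(SAMPLE_CONN, SIDEWALK_C2_DEFANGED))
    print(workers_dev_lookups(SAMPLE_DNS))
```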

The experts reported that the infected machine communicates with the C&C server over HTTP or HTTPS, depending on the configuration; in both cases the data is serialized in the same way.

Comparing Windows and Linux variants, experts observed that four commands are not implemented or implemented differently in the Linux variant:

Command ID (from C&C) | Windows variants | Linux variants
0x7C | Load a plugin sent by the C&C server. | Not implemented in SideWalk Linux.
0x82 | Collect domain information about running processes and their owners (owner SID, account name, process name, domain information). | Do nothing.
0x8C | Data serialization function. | Not handled; falls into the default case, which broadcasts a message to all the loaded modules.
0x8E | Write the received data to the file located at %AllUsersProfile%\UTXP\nat\<filename>, where <filename> is a hash of the value returned by VirtualAlloc at each execution of the malware. | Not handled; falls into the default case (same as 0x8C).

“The backdoor that was used to attack a Hong Kong university in February 2021 is the same malware family as the SideWalk backdoor, and actually is a Linux variant of the backdoor. This Linux version exhibits several similarities with its Windows counterpart along with various novelties.” concludes the report.


Pierluigi Paganini

